fix sorbet typings (#10975)

npm_and_yarn/lib/dependabot/npm_and_yarn/helpers.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/dependency"
@@ -111,16 +111,22 @@ def self.yarn_version_numeric(yarn_lock)
       def self.pnpm_version_numeric(pnpm_lock)
         lockfile_content = pnpm_lock&.content
 
-        return PNPM_DEFAULT_VERSION if lockfile_content.nil? || lockfile_content.strip.empty?
+        return PNPM_DEFAULT_VERSION if !lockfile_content || lockfile_content.strip.empty?
+
+        pnpm_lockfile_version_str = pnpm_lockfile_version(pnpm_lock)
+
+        return PNPM_FALLBACK_VERSION unless pnpm_lockfile_version_str
+
+        pnpm_lockfile_version = pnpm_lockfile_version_str.to_f
 
-        pnpm_lockfile_version = pnpm_lockfile_version(pnpm_lock).to_f
         return PNPM_V9 if pnpm_lockfile_version >= 9.0
         return PNPM_V8 if pnpm_lockfile_version >= 6.0
         return PNPM_V7 if pnpm_lockfile_version >= 5.4
 
         PNPM_FALLBACK_VERSION
       end
 
+      sig { params(key: String, default_value: String).returns(T.untyped) }
       def self.fetch_yarnrc_yml_value(key, default_value)
         if File.exist?(".yarnrc.yml") && (yarnrc = YAML.load_file(".yarnrc.yml"))
           yarnrc.fetch(key, default_value)
@@ -253,9 +259,12 @@ def self.setup_yarn_berry
       # set to false. Yarn commands should _not_ be ran outside of this helper
       # to ensure that postinstall scripts are never executed, as they could
       # contain malicious code.
+      sig { params(commands: T::Array[String]).void }
       def self.run_yarn_commands(*commands)
         setup_yarn_berry
-        commands.each { |cmd, fingerprint| run_single_yarn_command(cmd, fingerprint: fingerprint) }
+        commands.each do |cmd, fingerprint|
+          run_single_yarn_command(cmd, fingerprint: fingerprint) if cmd
+        end
       end
 
       # Run single npm command returning stdout/stderr.
@@ -363,8 +372,12 @@ def self.package_manager_run_command(name, command, fingerprint: nil)
       end
       private_class_method :run_single_yarn_command
 
+      sig { params(pnpm_lock: DependencyFile).returns(T.nilable(String)) }
       def self.pnpm_lockfile_version(pnpm_lock)
-        pnpm_lock.content.match(/^lockfileVersion: ['"]?(?<version>[\d.]+)/)[:version]
+        match = T.must(pnpm_lock.content).match(/^lockfileVersion: ['"]?(?<version>[\d.]+)/)
+        return match[:version] if match
+
+        nil
       end
 
       sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).returns(T::Array[Dependency]) }

npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/shared_helpers"
@@ -139,11 +139,20 @@ def unsupported?
 
     DEFAULT_PACKAGE_MANAGER = NpmPackageManager::NAME
 
-    PACKAGE_MANAGER_CLASSES = {
+    # Define a type alias for the expected class interface
+    NpmAndYarnPackageManagerClassType = T.type_alias do
+      T.any(
+        T.class_of(Dependabot::NpmAndYarn::NpmPackageManager),
+        T.class_of(Dependabot::NpmAndYarn::YarnPackageManager),
+        T.class_of(Dependabot::NpmAndYarn::PNPMPackageManager)
+      )
+    end
+
+    PACKAGE_MANAGER_CLASSES = T.let({
       NpmPackageManager::NAME => NpmPackageManager,
       YarnPackageManager::NAME => YarnPackageManager,
       PNPMPackageManager::NAME => PNPMPackageManager
-    }.freeze
+    }.freeze, T::Hash[String, NpmAndYarnPackageManagerClassType])
 
     class PackageManagerDetector
       extend T::Sig
@@ -152,14 +161,14 @@ class PackageManagerDetector
       sig do
         params(
           lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
-          package_json: T::Hash[String, T.untyped]
+          package_json: T.nilable(T::Hash[String, T.untyped])
         ).void
       end
       def initialize(lockfiles, package_json)
         @lockfiles = lockfiles
         @package_json = package_json
-        @manifest_package_manager = package_json["packageManager"]
-        @engines = package_json.fetch(MANIFEST_ENGINES_KEY, nil)
+        @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
+        @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, {}), T::Hash[String, T.untyped])
       end
 
       # Returns npm, yarn, or pnpm based on the lockfiles, package.json, and engines
@@ -202,17 +211,18 @@ class PackageManagerHelper
 
       sig do
         params(
-          package_json: T::Hash[String, T.untyped],
+          package_json: T.nilable(T::Hash[String, T.untyped]),
           lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]
         ).void
       end
       def initialize(package_json, lockfiles:)
         @package_json = package_json
         @lockfiles = lockfiles
-        @manifest_package_manager = package_json[MANIFEST_PACKAGE_MANAGER_KEY]
-        @engines = package_json.fetch(MANIFEST_ENGINES_KEY, nil)
-        @package_manager_detector = PackageManagerDetector.new(@lockfiles, @package_json)
-        @installed_versions = {}
+        @package_manager_detector = T.let(PackageManagerDetector.new(lockfiles, package_json), PackageManagerDetector)
+        @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
+        @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, nil), T.nilable(T::Hash[String, T.untyped]))
+
+        @installed_versions = T.let({}, T::Hash[String, String])
       end
 
       sig { returns(Ecosystem::VersionManager) }
@@ -287,9 +297,11 @@ def setup(name)
       def package_manager_by_name(name)
         name = ensure_valid_package_manager(name)
 
-        package_manager_class = PACKAGE_MANAGER_CLASSES[name]
+        package_manager_class = T.must(PACKAGE_MANAGER_CLASSES[name])
 
-        package_manager_class.new(installed_version(name))
+        installed_version = installed_version(name)
+
+        package_manager_class.new(installed_version)
       end
 
       # rubocop:enable Metrics/CyclomaticComplexity
@@ -302,27 +314,28 @@ def package_manager_by_name(name)
       sig { params(name: String).returns(String) }
       def installed_version(name)
         # Return the memoized version if it has already been computed
-        return @installed_versions[name] if @installed_versions.key?(name)
+        return T.must(@installed_versions[name]) if @installed_versions.key?(name)
 
         # Attempt to get the installed version through the package manager version command
         @installed_versions[name] = Helpers.package_manager_version(name)
 
         # If we can't get the installed version, we need to install the package manager and get the version
-        unless @installed_versions[name].match?(PACKAGE_MANAGER_VERSION_REGEX)
+        unless @installed_versions[name]&.match?(PACKAGE_MANAGER_VERSION_REGEX)
           setup(name)
           @installed_versions[name] = Helpers.package_manager_version(name)
         end
 
         # If we can't get the installed version or the version is invalid, we need to get inferred version
-        unless @installed_versions[name].match?(PACKAGE_MANAGER_VERSION_REGEX)
+        unless @installed_versions[name]&.match?(PACKAGE_MANAGER_VERSION_REGEX)
           @installed_versions[name] = Helpers.public_send(:"#{name}_version_numeric", @lockfiles[name.to_sym]).to_s
         end
 
-        @installed_versions[name]
+        T.must(@installed_versions[name])
       end
 
       private
 
+      sig { params(name: String, version: String).void }
       def raise_if_unsupported!(name, version)
         return unless name == PNPMPackageManager::NAME
         return unless Version.new(version) < Version.new("7")
@@ -375,6 +388,8 @@ def guessed_version(name)
 
       sig { params(name: T.untyped).returns(T.nilable(String)) }
       def check_engine_version(name)
+        return if @package_json.nil?
+
         version_selector = VersionSelector.new
         engine_versions = version_selector.setup(@package_json, name)